added win events
This commit is contained in:
parent
d797981a6d
commit
6bd59faa8f
|
@ -2,7 +2,8 @@
|
||||||
|
|
||||||
## Dump Logfile
|
## Dump Logfile
|
||||||
|
|
||||||
Windows Event Logfiles can be dumped via
|
Windows event logs can be found under `C:\Windows\System32\winevt\Logs`.
|
||||||
|
Windows Event Logfiles can also be dumped via
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
evtx_dump $EVENT_LOG > event.log
|
evtx_dump $EVENT_LOG > event.log
|
||||||
|
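Review bot: the added path line should say that the live `.evtx` files under `C:\Windows\System32\winevt\Logs` (Security.evtx in particular) need administrative rights to read, and that on a running system the cleanest way to get a consistent copy is to export it first (`wevtutil epl Security C:\case\Security.evtx`) and run the parser on the copy. The `sh` block should also state where `evtx_dump` comes from, since it is not a Windows built-in, and that `$EVENT_LOG` is a placeholder for the `.evtx` path.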
@ -24,23 +25,41 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
|
||||||
|
|
||||||
### Process
|
### Process
|
||||||
|
|
||||||
* **1**: Process Creation
|
* **1**: Process Creation (Applications & Services -> Microsoft -> Windows ->
|
||||||
|
Sysmon -> Operational)
|
||||||
|
* **4688**: Process Creation (Windows Logs -> Security)
|
||||||
|
|
||||||
### Files
|
### Files
|
||||||
|
|
||||||
* **11**: File opened
|
* **11**: File opened (Applications & Services -> Microsoft -> Windows ->
|
||||||
|
Sysmon -> Operational)
|
||||||
|
* **4656**: File changed (Windows Logs -> Security)
|
||||||
|
* **13**: Registry value set (Applications & Services -> Microsoft -> Windows ->
|
||||||
|
Sysmon -> Operational)
|
||||||
|
* **4657**: Registry value set (Windows Logs -> Security)
|
||||||
|
|
||||||
|
### Network
|
||||||
|
|
||||||
|
* **3** Network connection (Sysmon, path shown above)
|
||||||
|
* **22** DNS query (Sysmon, path shown above)
|
||||||
|
|
||||||
### Account Management
|
### Account Management
|
||||||
|
|
||||||
|
The `subject` is the account doing an action on an `object`.
|
||||||
|
|
||||||
* **4719**: Attempt to change a policy
|
* **4719**: Attempt to change a policy
|
||||||
* **4720**: User account creation
|
* **4720**: User account creation
|
||||||
* **4722**: User account enabled
|
* **4722**: User account enabled
|
||||||
* **4723**: Attempt to change an account password. The user attempts to change their password
|
* **4723**: Attempt to change an account password. The user attempts to change
|
||||||
* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
|
their password
|
||||||
|
* **4724**: Attempt to reset the account password. The user attempts to reset
|
||||||
|
the password of another account
|
||||||
* **4725**: Account disable
|
* **4725**: Account disable
|
||||||
* **4726**: Account removed from systemved from system
|
* **4726**: Account removed from systemved from system
|
||||||
* **4728**: Attempt to add an account to a global security group
|
* **4728**: Attempt to add an account to a global security group
|
||||||
* **4729**: Attempt to remove an account from a global security group
|
* **4729**: Attempt to remove an account from a global security group
|
||||||
|
* **4732**: User was added to a security group (like Administrators)
|
||||||
|
* **4733**: User was removed from a security group (like Administrators)
|
||||||
* **4738**: User account properties were changed
|
* **4738**: User account properties were changed
|
||||||
* **4740**: User account was locked after repeated attempt of access
|
* **4740**: User account was locked after repeated attempt of access
|
||||||
* **4756**: Attempt to add an account to a universal security group
|
* **4756**: Attempt to add an account to a universal security group
|
||||||
|
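Review bot: two of the added descriptions in the Files list don't match the events. Sysmon ID 11 is FileCreate (a file created or overwritten), not "File opened", and Security 4656 is "A handle to an object was requested", which fires for files and registry keys alike and only when object-access auditing and a SACL on the object are in place; the event for the actual access is 4663. Suggest `* **11**: File created (Applications & Services -> ... -> Sysmon -> Operational)` and `* **4656**: Handle to an object requested (Windows Logs -> Security)`. While touching this hunk, the unchanged 4726 line still carries the "systemved from system" typo.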
@ -50,11 +69,19 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
|
||||||
|
|
||||||
### Account Logon
|
### Account Logon
|
||||||
|
|
||||||
* **4624**: Successful logon
|
These can be found via `Event Viewer` under `Windows Logs` -> `Security`.
|
||||||
* **4625**: Failed logon
|
The `Logon ID` is the session identifier.
|
||||||
|
|
||||||
|
* **4624**: Successful logon/login
|
||||||
|
* **4625**: Failed logon/login
|
||||||
* **4634** and **4647**: Logoff
|
* **4634** and **4647**: Logoff
|
||||||
* **4779**: Session disconnect
|
* **4779**: Session disconnect
|
||||||
|
|
||||||
|
### Logon Types
|
||||||
|
|
||||||
|
* **10**: RDP
|
||||||
|
* **3**: Network
|
||||||
|
|
||||||
### Scheduled Tasks
|
### Scheduled Tasks
|
||||||
|
|
||||||
* **4698**: Scheduled task creation
|
* **4698**: Scheduled task creation
|
||||||
|
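Review bot: the new Logon Types subsection lists only 10 and 3 and never says where the value comes from; it should state that this is the `Logon Type` field inside 4624/4625 and cover the other common values (2 interactive, 4 batch, 5 service, 7 unlock, 9 new credentials, 11 cached interactive), since telling a console logon from a network or RDP logon is the reason to look at the field. Minor: "logon/login" on the 4624 and 4625 lines is redundant, the Windows term is logon.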
@ -71,6 +98,8 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
These can be found via `Event Viewer` under `Windows Logs` -> `Security`
|
||||||
|
|
||||||
* **1100**: Logging service disabled
|
* **1100**: Logging service disabled
|
||||||
* **1102**: Log deletion
|
* **1102**: Log deletion
|
||||||
* **1116**: Windows Defender Malware detection
|
* **1116**: Windows Defender Malware detection
|
||||||
|
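Review bot: the added line "These can be found via `Event Viewer` under `Windows Logs` -> `Security`" is wrong for 1116, which Windows Defender writes to Applications and Services Logs -> Microsoft -> Windows -> Windows Defender -> Operational; only 1100 and 1102 are in the Security log. Also, 1100 means the event logging service shut down, which is also recorded at every normal shutdown, so "Logging service disabled" overstates it; 1102 ("The audit log was cleared") is the one that warrants an alert on its own.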
@ -87,6 +116,9 @@ Applications and Services Logs -> Windows Powershell and Apps and Services Logs
|
||||||
* **600**: Opening Powershell
|
* **600**: Opening Powershell
|
||||||
* **4104**: Powershell command executed
|
* **4104**: Powershell command executed
|
||||||
|
|
||||||
|
In addition check Powershell's history file on path
|
||||||
|
`C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`
|
||||||
|
|
||||||
## RDP
|
## RDP
|
||||||
|
|
||||||
Applications and Services Logs -> Microsoft -> Windows ->
|
Applications and Services Logs -> Microsoft -> Windows ->
|
||||||
|
|
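Review bot: `%USER%` is not a Windows environment variable; the history path should use `%USERNAME%`, or better `$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`, which also resolves correctly for roaming profiles. It is also worth noting next to 4104 that script block logging only records every block when Script Block Logging is enabled by policy; without it only blocks matching Microsoft's built-in suspicious-content list are written, so the absence of 4104 events is not evidence that nothing ran. Style: "Powershell" should be "PowerShell" throughout.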